On Mon, 1 Apr 2002, Dr. Shim wrote:
> I have a variable which is appended to the end of a URL, like
>
> http://www.your_web_site.com/your_page/?your_variable=your_value
>
> This would return "your_value":
>
> echo $your_variable;
>
> But this wouldn't work, and returns an error
>
> $sql = "SELECT * FROM fldField WHERE IDField = " . $id;
Consider yourself lucky. Taking a variable supplied by a user and dumping it into a SQL query like that is basically the same as printing your database password on your front page.

If it's a number, take intval() of it. If it's a string, addslashes() it or make sure that magic_quotes_gpc is on. And take your user-posted variables from $_REQUEST rather than from the variables that get created automatically (which you should turn off unless you REALLY know what you're doing, because it's a dangerous feature).

miguel

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
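The advice in the reply, worked through as an added example (this is not code from the thread or from either poster). It builds the query the way the reply recommends, next to the unsafe version from the question, and prints the SQL text that would be sent, so no database is needed. The table and column names fldField and IDField come from the original post; the `name` parameter and the `NameField` column are assumptions made for the string case.

```php
<?php
// Added example, not code from the thread. Shows the query from the question
// built unsafely, then built the way the reply suggests: intval() for a
// number, addslashes() for a string, and the value read from a request array
// rather than from a variable PHP created automatically.
//
// The "variables that get created automatically" are the register_globals
// feature (php.ini: register_globals = Off). With it on, ?id=... would also
// define $id directly, so any unset variable in the script becomes
// attacker-controlled. It was removed in PHP 5.4, as was magic_quotes_gpc.

// Constructed request, standing in for ?id=...&name=... on a real page.
// A real script would pass $_REQUEST here; the array is filled by hand so
// the example runs from the command line.
$request = [
    'id'   => '5 OR 1=1',             // what an attacker might send as a "number"
    'name' => "O'Brien' OR '1'='1",   // and as a string
];

// Unsafe: the raw value is concatenated straight into the query. This is the
// pattern from the question; the WHERE clause becomes whatever the user sent.
function unsafe_query(array $req): string
{
    return "SELECT * FROM fldField WHERE IDField = " . $req['id'];
}

// Numeric value: intval() reduces anything to an integer, so "5 OR 1=1"
// becomes 5 and no extra SQL can ride along with the number.
function numeric_query(array $req): string
{
    $id = intval($req['id']);
    return "SELECT * FROM fldField WHERE IDField = " . $id;
}

// String value: put it in quotes and escape quotes and backslashes with
// addslashes(). (If magic_quotes_gpc were on, PHP would already have done
// this to the request data and escaping again would double the slashes.)
// NameField is an assumed column name.
function string_query(array $req): string
{
    $name = addslashes($req['name']);
    return "SELECT * FROM fldField WHERE NameField = '" . $name . "'";
}

echo "Unsafe:  " . unsafe_query($request) . "\n";
echo "Numeric: " . numeric_query($request) . "\n";
echo "String:  " . string_query($request) . "\n";
```

Run it with `php example.php` and compare the three lines: the unsafe query has its WHERE clause rewritten, the numeric one is pinned to `5`, and the string one carries the quotes escaped. The escaping approach is what the reply recommends and was the 2002 answer; on current PHP the standard fix is a prepared statement with bound parameters (PDO or mysqli), which keeps the value out of the SQL text altogether and does not depend on the connection's character set the way addslashes() does.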